cavern.command_and_control.beaconing_pattern). You're welcome.- What: A Chinese-speaking APT tracked as CL-STA-1062 deployed a new custom .NET backdoor called TinyRCT against Southeast Asian government and critical infrastructure targets.
- Impact: At least 10 organizations were breached between October and December 2025, with attackers exfiltrating MS SQL data and entire directories of web server source code.
- Fix / mitigation: Hunt for the named IOCs (PerfWatson2.exe, MyAppDomainManager.dll, C2 45.32.113[.]172 and 139.180.134[.]221), block AppDomainManager injection, and audit ASPX web shells on internet-facing servers.
- Who's at risk: State-owned energy and government enterprises across Southeast Asia and East Asia, with prior activity tied to Taiwan web infrastructure.
A Chinese-speaking APT tracked by Palo Alto Networks Unit 42 as CL-STA-1062 breached at least 10 organizations across Southeast Asia between October and December 2025, targeting state-owned enterprises in the energy and government sectors. The campaign's centerpiece is TinyRCT, a previously undocumented .NET backdoor that runs commands, enumerates and exfiltrates files, captures screenshots, and wipes itself off the host.
This is not opportunistic crime. Unit 42 ties CL-STA-1062 to UAT-7237, the group Cisco Talos flagged in August 2025 for hitting Taiwanese web infrastructure, and traces related operations against strategic East Asian sectors back to March 2022. The targeting profile, custom tooling, and four-year persistence point to a sustained espionage mission against regional critical infrastructure.
What they took
In a September 2025 intrusion, the actor compromised a Southeast Asian government entity, dropped a web shell, and exfiltrated data from an MS SQL server. During the same operation they ran network reconnaissance against a second government entity in the same country, scouting lateral movement and broader access. In one case they staged and exfiltrated an entire directory of web server source code. Source code theft is a force multiplier here: it hands the attacker a map for finding further vulnerabilities and forging trusted access.
The intrusion chain
Since at least mid-2025, CL-STA-1062 has scanned regional entities for vulnerabilities, then established footholds via ASPX web shells. Those shells handle initial reconnaissance and outbound beaconing to attacker infrastructure before pulling additional payloads, including SoftEther VPN components and RAR archives containing the group's toolkit. The kit leans heavily on open-source utilities: Mimikatz for credentials, Yuze as a SOCKS5 proxy, and VNT as a VPN, all to enable lateral movement.
The operators disguise their binaries as trusted software, using filenames like XDRAgent.exe, vmtools.exe, and vmwared.exe to blend into endpoints running VMware tooling or EDR agents. Defenders relying on filename-based allowlisting or casual analyst review will miss these.
TinyRCT arrives as chrome_setup.zip containing a legitimate chrome_setup.exe, a chrome_setup.exe.config file, and a rogue MyAppDomainManager.dll. The config redirects the .NET runtime to load the malicious DLL via AppDomainManager injection. That DLL acts as a downloader, contacting 139.180.134[.]221 to retrieve the payload PerfWatson2.exe. Monitor .NET applications for unexpected AppDomainManager redirects and config files placed alongside signed executables.
Inside TinyRCT
TinyRCT (PerfWatson2.exe) is a lightweight RAT built for stealth and durability. It performs system reconnaissance, command execution, file uploads, screenshot capture, and remote control, then wipes its own traces. It includes sandbox-evasion checks to avoid detonating in analysis environments. The backdoor maintains a persistent channel to C2 at 45.32.113[.]172 over HTTP, but encrypts all exchanged data with AES-128 in CBC mode, so plain HTTP inspection alone will not reveal the traffic content.
The malware operates on a beaconing model with a default 10-second sleep interval. It polls the C2 for instructions using GET requests and ships stolen data back via POST requests. That regular cadence to a fixed hosting IP is a strong network-detection opportunity even when payloads are encrypted.
Why this matters
CL-STA-1062 reflects a pragmatic operating model: commodity open-source tools for the noisy work of lateral movement, plus a purpose-built backdoor for the capabilities that matter. The willingness to develop custom malware like TinyRCT, combined with a deliberate focus on energy and government critical infrastructure, signals a group that will keep operating in the region. For state-owned operators in Southeast Asia and East Asia, this is an active threat, not a retrospective.
Block the known C2 infrastructure and hunt your environment for the named indicators. Treat internet-facing servers as the likely entry point and audit them for ASPX web shells and anomalous outbound beaconing.
- Block and alert on C2 IPs 45.32.113[.]172 and 139.180.134[.]221.
- Hunt for PerfWatson2.exe, MyAppDomainManager.dll, and chrome_setup.zip/.exe/.config artifacts.
- Flag .NET executables loading an AppDomainManager from an adjacent config file.
- Audit internet-facing IIS/ASPX servers for web shells and unexpected outbound HTTP from server processes.
- Detect masquerading: validate signatures on XDRAgent.exe, vmtools.exe, vmwared.exe, and similar VMware/EDR-named binaries.
- Alert on consistent ~10-second HTTP GET/POST beaconing to fixed hosting-provider IPs, even when payloads are AES-encrypted.
Questions about your exposure?
RedEye Security provides assessments for organizations that need to understand their real risk.
Talk to us